Advertisement

Smart OpenID: A Smart Card Based OpenID Protocol

  • Andreas Leicher
  • Andreas U. Schmidt
  • Yogendra Shah
Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT, volume 376)

Abstract

OpenID is a lightweight, easy to implement and deploy approach to Single Sign-On (SSO) and Identity Management (IdM), and has great potential for large scale user adoption especially for mobile applications. At the same time, Mobile Network Operators are increasingly interested in leveraging their existing infrastructure and assets for SSO and IdM. In this paper, we present the concept of Smart OpenID, an enhancement to OpenID which moves part of the OpenID authentication server functionality to the smart card of the user’s device. This seamless, OpenID-conformant protocol allows for scaling security properties, and generally improves the security of OpenID by avoiding the need to send user credentials over the Internet and thus avoid phishing attacks. We also describe our implementation of the Smart OpenID protocol based on an Android phone, which interacts with OpenID-enabled web services.

Keywords

OpenID Identity Management Single Sign-On Authentication Smart Cards GBA 

References

  1. 1.
    Windley, P.: Digital Identity. O’Reilly Media, Inc. (2005)Google Scholar
  2. 2.
    Liberty Alliance Project. Web page at (2002), http://www.projectliberty.org
  3. 3.
    Chappell, D., et al.: Introducing windows cardspace. MSDN (April 2006)Google Scholar
  4. 4.
    Bertocci, V., Serack, G., Baker, C.: Understanding windows cardspace. Addison-Wesley Professional (2007)Google Scholar
  5. 5.
    Higgins Personal Data Service, http://www.eclipse.org/higgins/
  6. 6.
    Telco 2.0: Telco 2.0 Manifesto - Business Model Innovation for the Digital Economy, http://www.stlpartners.com/manifesto.php
  7. 7.
    Camenisch, J., Fischer-Huebner, S., Rannenberg, K.: Privacy and Identity Management for Life. Springer (2011)Google Scholar
  8. 8.
    Koschinat, S., Bal, G., Rannenberg, K.: Economic Valuation of Identity Management Enablers. PrimeLife Deliverable D6.1.2 (May 2011)Google Scholar
  9. 9.
    Koschinat, S., Bal, G., Weber, C., Rannenberg, K.: Privacy by sustainable identity management enablers. Privacy and Identity Management for Life, 431–452 (2011)Google Scholar
  10. 10.
    OpenID.net: OpenID Specifications, http://openid.net/developers/specs/
  11. 11.
    Uruena, M., Busquiel, C.: Analysis of a Privacy Vulnerability in the OpenID Authentication Protocol. In: IEEE Multimedia Communications, Services and Security (MCSS 2010), Krakow, Poland (2010)Google Scholar
  12. 12.
    van Thanh, D., Jonvik, T., Feng, B., Van Thuan, D., Jorstad, I.: Simple strong authentication for internet applications using mobile phones. In: IEEE GLOBECOM Global Telecommunications Conference 2008 (2008)Google Scholar
  13. 13.
    Urien, P.: Convergent identity: Seamless OpenID services for 3G dongles using SSL enabled USIM smart cards. In: Consumer Communications and Networking Conference (CCNC), pp. 830–831. IEEE (2011)Google Scholar
  14. 14.
    Leicher, A., Schmidt, A.U., Shah, Y., Cha, I.: Trusted Computing enhanced OpenID. In: 2010 International Conference for Internet Technology and Secured Transactions (ICITST), pp. 1–8 (2010)Google Scholar
  15. 15.
    Jorstad, I., Johansen, T., Bakken, E., Eliasson, C., Fiedler, M., et al.: Releasing the potential of openid & sim. In: 13th International Conference on Intelligence in Next Generation Networks, ICIN 2009, pp. 1–6. IEEE (2009)Google Scholar
  16. 16.
    3GPP: Identity management and 3GPP security interworking; Identity management and Generic Authentication Architecture (GAA) interworking. TR 33.924, 3GPP (June 2011)Google Scholar
  17. 17.
    Chen, Z.: Java Card Technology for Smart Cards. Prentice Hall (2000)Google Scholar
  18. 18.
    ISO : ISO 7816-4: Identification cards - Integrated circuit cards - Organisation, security and commands for interchange (2005)Google Scholar
  19. 19.
    SIM Alliance: OpenMobile API Specification v2.0.2 (2011), http://www.simalliance.org
  20. 20.
    Tsyrklevich, E., Tsyrklevich, V.: Single Sign-On for the Internet: A Security Story. In: BlackHat Conference Las Vegas 2007 (2007)Google Scholar
  21. 21.
    3GPP: 3G Security; Generic Authentication Architecture (GAA); System description. TR 33.919, 3GPP (June 2010)Google Scholar
  22. 22.
    Holtmanns, S., Niemi, V., Ginzboorg, P., Laitinen, P., Asokan, N.: Cellular Authentication for Mobile and Internet Services. Wiley (2009)Google Scholar
  23. 23.
    3GPP: 3G security; Security architecture. TS 33.102, 3rd Generation Partnership Project (3GPP) (December 2010)Google Scholar
  24. 24.
    Weik, P., Wahle, S.: Towards a generic identity enabler for telco networks. In: Proc. 12th Internat. Conf. on Intelligence in Networks (ICIN 2008), Bordeaux, pp. 20–23 (2008)Google Scholar
  25. 25.
    Ahmed, A.S.: A User Friendly and Secure OpenID Solution for Smart Phone Platforms. Master’s thesis, Aalto University, School of Science and Technology, Faculty of Information and Natural Sciences (2010)Google Scholar
  26. 26.
    Urien, P.: An OpenID provider based on SSL smart cards. In: 7th IEEE Consumer Communications and Networking Conference, CCNC (2010)Google Scholar
  27. 27.
    Liberty Alliance: ID-WSF Advanced Client 1.0 Specifications. Technical report, (2007)Google Scholar
  28. 28.
    Liberty Alliance: ID-WSF Advanced Client Implementation and Deployment guidelines for SIM/UICC Card environment. Technical report (2007)Google Scholar
  29. 29.
    3GPP: Remote APDU Structure for (U)SIM Toolkit applications. TS 31.115, 3GPP (December 2009)Google Scholar
  30. 30.
    3GPP: Remote APDU Structure for (Universal) Subscriber Identity Module (U)SIM Toolkit applications. TS 31.116, 3GPP (December 2009)Google Scholar
  31. 31.
    Janrain: Python OpenID libraries, http://www.janrain.com/openid-enabled
  32. 32.
    Scripting Layer for Android, http://code.google.com/p/android-scripting/
  33. 33.
    Schmidt, A.U., Leicher, A., Shah, Y., Cha, I.: Efficient Application SSO for Evolved Mobile Networks. In: Proceedings of the Wireless World Research Forum Meeting 25 (WWRF 25), London, UK (2010)Google Scholar
  34. 34.
    OpenID Foundation: OpenID security best practices, http://wiki.openid.net/OpenID-Security-Best-Practices

Copyright information

© IFIP International Federation for Information Processing 2012

Authors and Affiliations

  • Andreas Leicher
    • 1
  • Andreas U. Schmidt
    • 1
  • Yogendra Shah
    • 2
  1. 1.Novalyst IT AGKarbenGermany
  2. 2.InterDigital Communications, LLC.King of PrussiaUSA

Personalised recommendations